{"id":5703,"date":"2019-01-16T15:56:39","date_gmt":"2019-01-16T10:26:39","guid":{"rendered":"\/?p=5703"},"modified":"2019-08-22T16:51:51","modified_gmt":"2019-08-22T11:21:51","slug":"permission-sensitive-caching-psc","status":"publish","type":"post","link":"https:\/\/www.argildx.us\/technology\/permission-sensitive-caching-psc\/","title":{"rendered":"Permission Sensitive Caching (PSC)"},"content":{"rendered":"
In AEM a site usually has both secured pages and public pages. The dispatcher can cache all of them, but on its own it has no idea which cached pages are secured, so once a page is in the cache it is served to anyone who asks for it, including anonymous users. To prevent that, the dispatcher needs a way to find out whether a page may be served to the particular user requesting it. In AEM this is provided by Permission Sensitive Caching (PSC), which lets you cache secured pages: before delivering a cached page the dispatcher has the requesting user\u2019s read permission for that page verified.<\/p>\n
Concretely, when a request for a cached page that matches the configured filter reaches the dispatcher, the dispatcher sends a HEAD request to a servlet on the AEM publish instance that checks the user\u2019s permission; only a 200 answer lets the cached copy be delivered. Pages that are not in the cache are rendered by AEM itself, which applies its own access control, so PSC closes the gap for cache hits.<\/p>\n
<\/p>\n
Step 1: <\/strong>Configure the dispatcher (the walkthrough below uses AEM 6.4 and Dispatcher 2.4).<\/h6>\n
a. Add this auth_checker section to the publish farm:<\/p>\n
\/auth_checker\r\n {\r\n # request is sent to this URL with '?uri=<page>' appended\r\n \/url \"\/content.pagePermission.getPermission\" \r\n # only the requested pages matching the filter section below are checked, all other pages get delivered unchecked\r\n \/filter\r\n {\r\n \/0000\r\n {\r\n \/glob \"*\"\r\n \/type \"deny\"\r\n }\r\n \/0001\r\n {\r\n \/glob \"\/content\/we-retail\/secure-pages\/*.html\"\r\n \/type \"allow\"\r\n }\r\n }\r\n # any header line returned from the auth_checker's HEAD request matching the section below will be returned as well\r\n \/headers\r\n {\r\n \/0000\r\n {\r\n \/glob \"*\"\r\n \/type \"deny\"\r\n }\r\n \/0001\r\n {\r\n \/glob \"Set-Cookie:*\"\r\n \/type \"allow\"\r\n }\r\n }\r\n }\r\n<\/pre>\nA brief description of this configuration: \/url is the AEM endpoint the dispatcher calls with a HEAD request, with the requested page path appended as the uri query parameter, before it serves a cached page; \/filter decides which cached paths are subject to that check at all, following the usual dispatcher rule that the last matching glob wins, so everything is denied (that is, delivered unchecked) first and only the secured paths are allowed (that is, checked); \/headers lists which response headers of the auth check are passed on to the client, here only Set-Cookie. Two things follow for the allow glob: it must cover every path under which secured content can end up in the cache, including other extensions or selector variants if your cache rules cache those, because a cached path that matches no allow rule is delivered without any check; and it should cover nothing else, since every match costs a round trip to AEM on every hit.<\/p>\n
b.\u00a0Also make sure that \/allowAuthorized is set to \"1\" in the cache section of the same farm:<\/p>\n
\/cache\r\n{\r\n ...\r\n \/allowAuthorized \"1\"\r\n ...\r\n}\r\n<\/pre>\nNote<\/strong>: With \/allowAuthorized \"1\" the dispatcher also caches responses to requests that carry an Authorization header or a login cookie; its default, \"0\", passes such requests straight to AEM and never caches them. That is what makes caching secured pages possible in the first place, but it also means the auth_checker is now the only thing standing between a cached secured page and an anonymous visitor, so the two settings belong together: never enable \/allowAuthorized without the auth_checker section. For every cached path that matches the auth_checker \/filter the dispatcher makes a HEAD request to AEM on each hit before serving the cached copy, so define the filters carefully: every additional matching path means an additional network call to the publish instance on every page hit.<\/p>\n
<\/p>\n
Step 2: <\/strong>Now create a servlet in AEM that checks whether the user who requests the page is allowed to read it and reports the result purely through the HTTP status code of its response (200 when the page is readable, 403 otherwise).<\/h6>\n
Below is the Java servlet to which the dispatcher sends the HEAD request. It runs on the publish instance and takes its JCR session from the request, which only works because the dispatcher passes the client\u2019s authentication cookie or Authorization header along with that request:<\/p>\n
import java.io.IOException;\r\nimport java.security.AccessControlException;\r\n\r\nimport javax.jcr.RepositoryException;\r\nimport javax.jcr.Session;\r\nimport javax.servlet.Servlet;\r\nimport javax.servlet.ServletException;\r\n\r\nimport org.apache.sling.api.SlingHttpServletRequest;\r\nimport org.apache.sling.api.SlingHttpServletResponse;\r\nimport org.apache.sling.api.servlets.SlingSafeMethodsServlet;\r\nimport org.osgi.service.component.annotations.Component;\r\nimport org.slf4j.Logger;\r\nimport org.slf4j.LoggerFactory;\r\n \r\n\/**\r\n * Auth checker servlet for Permission Sensitive Caching.\r\n *\r\n * The dispatcher sends HEAD \/content.pagePermission.getPermission?uri=<page> together with the\r\n * client's cookies or Authorization header, so the session obtained from the request belongs to\r\n * the end user. Only the status code matters: 200 lets the dispatcher serve the cached page,\r\n * anything else does not.\r\n *\/\r\n@Component(service = Servlet.class,\r\n    property = {\r\n        \"sling.servlet.methods=HEAD\",\r\n        \"sling.servlet.resourceTypes=sling\/servlet\/default\",\r\n        \"sling.servlet.selectors=pagePermission\",\r\n        \"sling.servlet.extensions=getPermission\"\r\n    })\r\npublic class AuthcheckerServlet extends SlingSafeMethodsServlet {\r\n \r\n    \/** The Constant LOGGER. *\/\r\n    private static final Logger logger = LoggerFactory.getLogger(AuthcheckerServlet.class);\r\n \r\n    \/** Extension the dispatcher appends to page paths; stripped to obtain the JCR path. *\/\r\n    private static final String HTML = \".html\";\r\n \r\n    \/**\r\n     * Handles the dispatcher's HEAD request. Fails closed: a missing or non-absolute uri\r\n     * parameter, a missing session or any repository error all answer 403.\r\n     *\r\n     * @param request - The request object.\r\n     * @param response - The response object.\r\n     *\/\r\n    @Override\r\n    protected void doHead(SlingHttpServletRequest request, SlingHttpServletResponse response)\r\n            throws ServletException, IOException {\r\n        logger.debug(\"Start of doHead Method\");\r\n        \/\/ retrieve the requested page path (the dispatcher appends it as ?uri=<page>)\r\n        String uri = request.getParameter(\"uri\");\r\n        if (uri == null || !uri.startsWith(\"\/\")) {\r\n            \/\/ nothing sensible to check: deny rather than guess\r\n            response.setStatus(SlingHttpServletResponse.SC_FORBIDDEN);\r\n            return;\r\n        }\r\n        \/\/ strip only a trailing .html so that the JCR path of the page itself is checked\r\n        if (uri.endsWith(HTML)) {\r\n            uri = uri.substring(0, uri.length() - HTML.length());\r\n        }\r\n        \/\/ obtain the requesting user's session from the request\r\n        Session session = request.getResourceResolver().adaptTo(Session.class);\r\n        if (session == null) {\r\n            response.setStatus(SlingHttpServletResponse.SC_FORBIDDEN);\r\n            return;\r\n        }\r\n        try {\r\n            \/\/ perform the permissions check as that user\r\n            session.checkPermission(uri, Session.ACTION_READ);\r\n            response.setStatus(SlingHttpServletResponse.SC_OK);\r\n        } catch (AccessControlException | RepositoryException e) {\r\n            logger.debug(\"Read access denied for {}\", uri);\r\n            response.setStatus(SlingHttpServletResponse.SC_FORBIDDEN);\r\n        }\r\n        logger.debug(\"End of doHead Method\");\r\n    }\r\n}<\/pre>\n<\/p>\n
Step 3: <\/strong>Restart the web server that hosts the dispatcher module so that the new configuration is loaded, and you are all set up.<\/h6>\n
<\/p>\n
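With the three steps in place, the script below exercises the whole setup. It is an added example and not part of the original post: it repeats the two servlet checks from the Verification section that follows and adds the check the servlet calls alone cannot give you, namely that a secured page which is already sitting in the dispatcher cache is still withheld from an anonymous client. The hosts (dispatcher.example.com, publishserver:4503), the test user and password and the page path are hypothetical defaults that you override through the environment; the script further assumes that the dispatcher's /clientheaders forward the Authorization header and Cookie to AEM, so that basic-auth credentials reach both the page render and the auth checker, and that the secured page is cacheable under your /cache /rules.

```sh
#!/bin/sh
# Added end-to-end check for Permission Sensitive Caching (example code, not from the post).
# Hosts, credentials and the page path are hypothetical defaults; override them via environment.
set -u
DISPATCHER="${DISPATCHER:-http://dispatcher.example.com}"   # web server running the dispatcher module
PUBLISH="${PUBLISH:-http://publishserver:4503}"             # AEM publish instance behind it
SECURE_PAGE="${SECURE_PAGE:-/content/we-retail/secure-pages/pageName.html}"
AEM_USER="${AEM_USER:-testuser}"                            # user with read access to SECURE_PAGE
AEM_PASS="${AEM_PASS:-testpass}"
AUTH_URL="/content.pagePermission.getPermission?uri=$SECURE_PAGE"

# get_status URL [curl options...]  -> prints only the HTTP status code of a GET
get_status() {
  url=$1; shift
  curl -s -o /dev/null -w '%{http_code}' "$@" "$url"
}

# head_status URL [curl options...] -> the same for a HEAD request (what the dispatcher sends)
head_status() {
  url=$1; shift
  curl -s -o /dev/null -w '%{http_code}' --head "$@" "$url"
}

# servlet_check: the AuthChecker servlet on publish must answer 403 without
# credentials and 200 with them. Returns 0 on pass, 1 on fail.
servlet_check() {
  anon=$(head_status "$PUBLISH$AUTH_URL")
  auth=$(head_status "$PUBLISH$AUTH_URL" --user "$AEM_USER:$AEM_PASS")
  if [ "$anon" = 403 ] && [ "$auth" = 200 ]; then
    echo "PASS servlet: anonymous=$anon authorised=$auth" >&2
    return 0
  fi
  echo "FAIL servlet: anonymous=$anon authorised=$auth" >&2
  return 1
}

# cache_check: PSC's real guarantee. Warm the dispatcher cache as an authorised
# user, then request the same (now cached) page anonymously. The second request
# must not come back 200; the exact code (404, 403 or a login redirect) depends
# on how AEM answers anonymous requests for pages it denies, so -L is not used.
cache_check() {
  warm=$(get_status "$DISPATCHER$SECURE_PAGE" --user "$AEM_USER:$AEM_PASS")
  if [ "$warm" != 200 ]; then
    echo "FAIL cache: authorised request got $warm, cache not warmed" >&2
    return 1
  fi
  anon=$(get_status "$DISPATCHER$SECURE_PAGE")
  if [ "$anon" = 200 ]; then
    echo "FAIL cache: cached $SECURE_PAGE served to an anonymous client" >&2
    return 1
  fi
  echo "PASS cache: anonymous got $anon, cached copy withheld" >&2
  return 0
}

# Run both checks only when invoked as: sh psc_check.sh run
case "${1:-}" in
  run) servlet_check && cache_check ;;
esac
```

Run it as `sh psc_check.sh run` against a dispatcher whose configuration has just been reloaded. A 200 on the anonymous fetch in cache_check is the one result that matters: it means the cached copy leaked. When that happens and servlet_check still passes, the page path is being cached but does not match the auth_checker allow glob, which is exactly the "delivered unchecked" case the filter comment warns about.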
Verification<\/strong><\/h5>\n
To check that Permission Sensitive Caching is active, open the dispatcher.log file; after the restart it must contain this message, with your \/url value in place of configured_url:<\/p>\n
AuthChecker: initialized with URL ‘configured_url<\/em>’.<\/strong><\/p>\n
\u00a0<\/strong><\/p>\n
To check the AuthChecker servlet response directly on the publish instance, run the following curl commands:<\/strong><\/p>\n
\n
1. Without Authentication<\/strong><\/li>\n<\/ol>\n
curl --head <\/strong>'http:\/\/publishserver:port\/content.pagePermission.getPermission?uri=\/content\/we-retail\/secure-pages\/pageName.html'<\/strong><\/p>\n
Response:<\/strong><\/p>\n
HTTP\/1.1 403 Forbidden\r\nDate: Tue, 04 Sep 2018 09:38:31 GMT\r\nX-Content-Type-Options: nosniff\r\nX-Frame-Options: SAMEORIGIN\r\nContent-Length: 0\r\n<\/pre>\n2. With Authentication<\/strong><\/p>\n
curl --head 'http:\/\/publishserver:port\/content.pagePermission.getPermission?uri=\/content\/we-retail\/secure-pages\/pageName.html' --user username:password<\/strong><\/p>\n
Response:<\/strong><\/p>\n
HTTP\/1.1 200 OK\r\nDate: Tue, 04 Sep 2018 09:42:19 GMT\r\nX-Content-Type-Options: nosniff\r\nX-Frame-Options: SAMEORIGIN\r\nContent-Length: 0\r\n<\/pre>\n<\/p>\n","protected":false},"excerpt":{"rendered":"
In AEM, we have both secured pages as well as public pages. Dispatcher provides the capability to cache all the pages but dispatcher doesn\u2019t know about secured or un-secured pages, so it serves all the pages to an Anonymous user. To get rid of this problem, dispatcher needs to know whether a page is to … Read more<\/a><\/p>\n","protected":false},"author":19,"featured_media":6693,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","content-type":"","footnotes":""},"categories":[66],"tags":[108,62,109,110,111,112,113],"yst_prominent_words":[2311,2309,2299,1047,2295,2291,2289,2303,2301,2307,1045,1043,2305,1053,2313,1046,1048,836,2297,2293],"acf":[],"yoast_head":"\n
Permission Sensitive Caching (PSC) in AEM | Argil DX<\/title>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\t\n\t\n\n